Google wants to pay you to find bugs in popular third-party Android apps

20Oct

Google is eager to clamp down on security flaws associated with some of the most high-profile apps in its Android library, so it's enlisting white-hat hackers as a part of the effort. Should you successfully find a bug in a qualifying app on Google Play, Google will pay you nifty $1,000 for your efforts.

Google is partnering with bug bounty service HackerOne for the project, which it calls the Google Play Security Reward Program. The worldwide program currently only applies to eight popular apps such as Duolingo, Snapchat, Tinder, Headspace and Alibaba, although Google's own suite of apps for Android qualify as well.

Apps currently only qualify for inclusion in the program if their developers get an invitation from Google, but in time the Mountain View, California company plans to roll out the service on an opt-in basis.

Bug out

Nor do all bugs qualify. At the moment, Google is only interested in finding flaws that enable remote code executions (RCEs) on Android 4.4 and above. In essence, that means it's looking for bugs that allow web pages to open in an app for the purpose of phishing, or flaws that allowed the download of malicious code and the possible infection of an Android device with a virus.

It's a not-so-subtle way of forcing Android app developers to get their acts together. You're not even supposed to contact Google if you find a bug; instead, you contact the developer of the app through a form provided by HackerOne, and then the developer contacts Google once it's released a patch for the bug. Only then will you see any cash.

Google already offers similar bounties for Chromebooks and Android proper, but this marks the first time that it's extended the service to developers who use its popular operating system.